This article is a bit special because it is not directly linked to computer security in the way most people understand it.
Since more and more devices are connected to the internet, I feel it’s about time to write an article about something most of us use without too much caution.
And writing about a fridge gone berserk is not something I feel most people would listen to…
But now, some guys came up with something extraordinary.
And it’s one of the really good examples for all those guys who think computer security and privacy do not affect them because they “have nothing to hide”.
Today’s cars come with a whole lot of new features. With the availability of cheap and powerful electronics, computer systems have entered the car and will become more and more of an issue in modern mobility solutions.
I remember exactly when, 15 years ago, the car I purchased back then had a navigation system in it. Well, sort of. It was working. Sort of. And it broke down (completely, including the need to replace it) three times in a bit more than 18 months.
The car was so ridiculously sensitive to interference from other electronic devices that it completely broke down six times in a row in one of the most frequented highway tunnels we have here – only to start up after being pulled out of the tunnel as if there had never been an issue.
You might say that this was a problem of past years?
Well, yes. And clearly: NO, not at all!
With today’s features giving you wireless control of your car the problem is even bigger. Much bigger.
The pity is: you won’t notice (most of the time) until it’s too late.
BMW has offered its “Connected Drive” software with a really ugly flaw.
I won’t go on about the hack in detail here (see the links above) but they, just to name one example, did not encrypt the communication. And, in addition, they made it possible to hack virtually any car without problems.
For example, the error message you got when issuing a command to the car without knowing its correct VIN contained… yes, you’re right: the VIN.
The first problem, the lack of encryption, wasn’t even the car’s fault. It was the fault of the guys designing the server software / communication procedures.
So, basically here you are with a connected car that does 250 km/h – and no idea who might actually tamper with it. Nice.
Actually, there’s a better example: The new Jeep Cherokee has similar features – and probably even more gadgets you can control over the internet.
How does this turn out? Well, grab a (big) bag of popcorn and enjoy:
Since those attacks (that could be downright life-threatening) can be carried out without really leaving any traces, the chances that they actually are going to be carried out are quite high. If the software gets into the wrong hands (and it sooner or later will), the shit will literally hit the fan. This could be the tool for the perfect crime…
But why are we now experiencing, again in cars, those basic security problems that should have been solved years ago?
Basically, most of the security problems cars now face are quite old. The problem with having so much software in a car (the same goes for houses, but that’s for sure less fun) is probably that the development of a car is a very complex process as such. Complex processes take up a lot of time.
Getting from the first sketches to a car you can actually buy takes 2-4 years, at least. This means that at the time you actually buy your new car, at least the computer equipment is dead-old and outdated. As are the security protocols and sometimes the ciphers.
Anyone who has ever tried to connect a new iPhone with a five-year-old car knows what I mean.
And for those remembering the FDIV bug that Intel suffered from… well. It won’t be so very simple to correct those bugs in a car.
An additional problem is that car makers aren’t very experienced in software engineering, so they buy the software from a supplier like Conti or TWE.
And in the end, not even the engineers actually designing and developing the car have a clue what’s inside the software they ship with the car.
And mind you, this problem is not restricted to cars. It’s a problem every device you use might have if it’s connected to a network. Be it the fridge, the freezer or your washing machine… it really doesn’t matter.
It’s a bit like buying your bread at a butcher’s. Might be tasty, but you can’t be 100% sure it really came out of a bakery.
And it’s the same with all devices you buy that can be remote controlled over the internet: You really have no clue what those devices are really doing in their “spare time”. Being careful is the only chance you actually have!
So, while you may not have anything to hide, you’d better hide your car now – because there might be someone willing to hide it from you…
And… yes: Your car will have security problems. Go, fix them!